IIS Security

We've a vertical package that includes a web based portal. (quite common for many Enterprise packages)

The problem lies in some of the requirements that the company puts on running this portal.

The major one is that of adding the IUSR_machinename account to the local admin group.
I know this is horrible, but need specific reasons why this shouldn't be done so that I can bring it to my boss and get it fixed.